Coalfire CEO Tom McAndrew statement 


Westminster, CO - October 29, 2019 - The ongoing situation in Iowa is completely ridiculous, and I 
hope that the citizens of Iowa continue to push for justice and common sense. Today, we found out that 
charges against Justin Wynn and Gary DeMercurio, the two Coalfire employees at the center of the 
Dallas County Courthouse incident on September 11, 2019, have been reduced from felony accusations 
of Burglary in the third-degree and possession of burglary tools to criminal trespass. 

I do not consider this a “win” for our employees, and Coalfire will continue to support and aggressively 
pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any 
wrongdoing. After the Iowa Supreme Court Chief Justice apologized and admitted mistakes were made, I 
was expecting all charges to be dropped. 

As seen in the statement of work that was made public online, our employees were simply doing the job 
that Coalfire was hired to do for the Iowa State Judicial Branch, a job similar in nature to one we did three 
years ago for the Iowa State Judicial Branch and have done hundreds of times around the world for 
similar clients. 

Active penetration testing, including physical penetration testing, is a best practice and a common 
engagement. We identify issues and risks before criminals find them. Oftentimes the risks are systems 
issues, sometimes the risks are as simple as finding a broken door that would allow a person with 
malicious intent to enter a secure area unnoticed. Our mission is to help our clients secure their 
environments and protect the people that work for them, their customers, and the confidential information 
they maintain. In this case, we were helping to protect the residents of Iowa. 

Our work included the testing of the physical security of county courthouses and judicial buildings. The 
specific locations were given to us by our client, documented in our statement of work, and confirmed 
multiple times, through email and phone conversations. 

After gaining access to the Judicial Branch Building, our employees were in communications with our 
client at the state level to let them know of their successful entry. They even left a business card on the 
desk of an employee. The following morning a state employee acknowledged the entry stating, “I guess I 
owe you a congratulations.” The day after the successful entry into the Judicial Branch Building, the 
employees walked up to the main entrance of Dallas County Courthouse around midnight. Our 
employees could have simply walked in through the front door since it was open - however, they chose to 
close and lock the door, so they could provide the state of Iowa with insights on ways that potential 
criminals could gain access. Our employees, being of the highest caliber and committed to delivering the 
best results on the project, chose to give the county the benefit of the doubt and test the courthouse as if 
they had found it in a secure state, which it was not. 

After gaining access through the locked door, our team intentionally tripped the alarm in order to test the 
security response, which was an objective of the project. After setting off the alarm in the Dallas 
courthouse, Mr. Wynn and Mr. DeMercurio stayed at the courthouse to meet County law enforcement 
responding to the alarm. When the initial law enforcement arrived, there were no issues as the team 
explained what they were doing and presented our engagement letter along with identification. As the
team waited for a deputy to verify their credentials, they then showed the remaining officers how entry
was made along with some of the tools and tactics that could have been used, much to the deputies’ 
delight, which I believe would be evident if video of the response was made publicly available. 

The team was ready to leave after one of the deputies returned the authorization letter to them and 
stated: “You guys should be all good to go.” It was at that point that the local sheriff, Chad Leonard, 
arrived at the Dallas Courthouse. Despite the authorization letter, his deputies onsite already having 
verified our team, and State employees urging their release, the local sheriff proceeded to arrest Mr.
Wynn and Mr. DeMercurio.

Failing to de-escalate the issue and bring in State/County politics, Sheriff Leonard communicated in an 
email “that this building belonged to the taxpayers of Dallas County and the State had no authority to 
authorize a break-in.” Leonard also added that a state employee asked him not to tell other sheriffs about
the incident to ensure the operation continued at other locations, but that he was going to tell every 
sheriff. 

I don’t know why he reacted the way he did. I’ve never met or spoken to Sheriff Leonard. Perhaps he 
didn’t like being tested without his knowledge or that our team found major security concerns at the 
facilities he was protecting. 

Sheriff Leonard failed to exercise common sense and good judgement and turned this engagement into a 
political battle between the State and the County. I was stunned that the next morning the issues were not 
resolved and were actually amplified when bail was set at $100,000. My priority has always been for the
safety of our employees, and we immediately engaged legal support and posted a $100,000 bond to get 
our team out of jail and get them home. I spoke with the team immediately after their release and 
promised to do everything I could to get this resolved. I intend to keep my promise. 

Coalfire has done hundreds of these types of engagements, typically finding open doors, unconcealed 
passwords, and other items that criminals can use to exploit organizations. Our teams are often stopped 
by law enforcement or security personnel during these tests. When this occurs, the authorization letter is 
presented. This is the first time that the authorization letter and verbal calls from our client have not 
resulted in the immediate release of our employees. Frankly this matter is unprecedented within the
tight-knit security industry and to our knowledge, no physical security professional has been arrested and
officially charged while executing a contract. 

Mr. Wynn and Mr. DeMercurio were acting as professionals carrying out their state-authorized obligations 
focused on improving the security of the Judicial Branch. It is unacceptable that they are now pawns in 
the dispute between the state and the county related to governance of the court buildings. My concern is 
that common sense is not prevailing in this case. The fact that this case is still ongoing is a failure of the 
criminal justice system in Iowa. I am also concerned that the close working relationship between the 
Sheriff, District Attorney, judges, and local politics involved may have potential conflicts of interest and 
impede a fair trial. 

If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to 
protect citizens honest? This is setting a horrible precedent for the millions of information security 
professionals who are now wondering if they too may find themselves in jail as criminals simply for doing 
their job. I believe that citizens of Iowa would benefit from using their resources to fix vulnerabilities,
protect their data, and secure their public buildings rather than waste time and taxpayer money on this
criminal pursuit. 

Coalfire is cooperating fully in the ongoing investigation. My hope is that the officials involved in this case 
will appropriately consider the context in which the actions of our employees were performed and the 
ongoing dispute between the state and the county related to governance of the court buildings. 

I have known both Gary and Justin for many years, and they are good people who have dedicated their 
lives to making the world a safer place. Gary and Justin, arguably our best physical pen testing team at 
Coalfire, choose to place themselves in harm’s way each and every physical test that they perform. They 
test the people who are supposed to keep citizens safe to ensure that they are doing their jobs. Yes, 
occasionally there are dangers associated with that as they must deal with law enforcement that may or 
may not understand what is happening. However, being the consummate professionals that they are, 
they are skilled in defusing situations and making them non-confrontational, much like they did on this 
engagement as no officer pulled a weapon of any sort. 

I am a Navy veteran of 20 years who continues to serve in the Navy Reserves because I believe in our 
great country. Unfortunately, today I'm embarrassed by the way our employees have been vilified, one of
whom is a former Marine Corps officer, for doing the job they were paid to do. I'm ashamed that no one
has had the courage to step up and do what is right. People appear to be more concerned about their 
own jobs or the political repercussions. 

Drop the charges, purge their records. These men are unsung heroes, not criminals. 


About Coalfire 

Coalfire is the trusted cybersecurity advisor that helps private and public-sector organizations avert 
threats, close gaps and effectively manage risk. By providing independent and tailored advice, 
assessments, technical testing and cyber engineering services, we help clients develop scalable 
programs that improve their security posture, achieve their business objectives and fuel their continued 
success. Coalfire has been a cybersecurity thought leader for nearly 20 years and has offices throughout 
the United States and Europe. 


For more information, visit www.coalfire.com.